Retool

Security checks across malware telemetry and agentic risk

Overview

This Retool skill is not deceptive, but it gives an agent broad authenticated Retool control without enough limits or safety checks.

Install only if you intend to let an agent work broadly with Retool through Membrane. Use a least-privilege Retool account, verify the tenant before connecting, and require explicit review before any POST, PUT, PATCH, DELETE, user, permission, app, query, billing, or production-data operation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence: 86%
Finding:
The skill is presented as a Retool user-management integration, but it explicitly exposes a generic authenticated proxy that can issue arbitrary requests to Retool endpoints. That broadens the effective capability far beyond the declared scope and can enable unintended access to administrative, configuration, or data-modifying APIs if an agent uses it without strict constraints.

Context-Inappropriate Capability

Medium
Confidence: 77%
Finding:
The documentation instructs the agent to create or discover connections automatically from a URL/domain and even build connectors when no app is found. For a Retool-specific skill, this introduces unnecessary authority expansion and increases the chance the agent connects to unintended targets or broadens access beyond the intended Retool tenant.

Missing User Warnings

Medium
Confidence: 89%
Finding:
The skill permits direct proxy requests with unsafe methods such as POST, PUT, PATCH, and DELETE, but provides no warning, policy guardrails, or confirmation step for destructive operations. In an admin-oriented Retool context, this can lead to accidental or unauthorized modification of users, apps, queries, permissions, or other sensitive resources.

VirusTotal

65/65 vendors flagged this skill as clean.